Security Experts:

Connect with us

Hi, what are you looking for?



Windows PowerShell Increasingly Abused by Attackers

The Windows PowerShell scripting tool is being increasingly used by malicious actors not only for data theft, but also for ransomware attacks, researchers have warned.

The Windows PowerShell scripting tool is being increasingly used by malicious actors not only for data theft, but also for ransomware attacks, researchers have warned.

Windows PowerShell is a task-based command line shell and scripting language that enables IT teams to control and automate the administration of the operating system and applications. Built on the .NET Framework, the tool is available for all current versions of Windows, and it has been included by default starting with Windows 7.

Experts believe cybercriminals are increasingly relying on PowerShell because this is not a common technique and IT administrators who are usually on the lookout for malicious binaries might overlook threats that abuse the scripting tool.

In late March 2014, Trend Micro came across a new malware family, which they dubbed CRIGENT (Power Worm). Distributed as Word or Excel documents, CRIGENT relies on PowerShell to retrieve system information from the infected device and infect other Word and Excel files stored on the affected computer.

In May, Trend Micro researchers identified a new attack leveraging PowerShell. The threat had been distributed with the aid of emails purporting to come from Duo Wei Times, a US-based Chinese newspaper.

In this case, PowerShell has been used to download files and bypass execution policies. First, potential victims are served a shortcut (.lnk) file, detected by Trend Micro as LNK_PRESHIN.JTT, containing PowerShell commands in its properties. When executed, LNK_PRESHIN.JTT downloads another PowerShell scripting file, TROJ_PRESHIN.JTT, which in turn downloads and executed the final payload, BKDR_PRESHIN.JTT.

In a blog post published on Sunday, Trend Micro detailed a piece of ransomware, TROJ_POSHCODER.A, which uses PowerShell to encrypt files. POSHCODER, which appears to target Internet users in the United States, uses AES to encrypt the files, and RSA 4096 bit encryption to exchange the AES key.

This is not the first time experts have indentified a piece of ransomware using PowerShell. Back in early March, researchers from Sophos warned of Russian ransomware that used Windows PowerShell to perform file encryption with “Rijndael symmetric key encryption.” At the time, experts discovered that the encryption keys could be easily obtained with the aid of PowerShell.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.